USING A POLICY SPACES AUDITOR TO CHECK FOR TEMPORAL INCONSISTENCIES IN HEALTHCARE AUDIT LOG FILES Tyrone Grandison , Sean Thorpe LACCEI Symposium of Health Informatics in Latin America and the Caribbean 2

Upload: tyrone-grandison

Post on 21-Jun-2015


DESCRIPTION

The core tenet of the healthcare field is that care delivery comes first and nothing should interfere with it. Consequently, the access control mechanisms used in healthcare to regulate and restrict the disclosure of data are often bypassed, especially in emergency cases. This is called the ‘break the glass’ (BtG) phenomenon and is common in healthcare organizations. Though useful and necessary in emergency situations, from a security perspective it is an important system flaw. Malicious users can exploit the system by breaking the glass to gain unauthorized privileges and accesses. Also, as the proportion of system accesses that are BtG increases, it becomes easier for an attacker to hide in the crowd of the audit log. In this paper, we build upon existing work that defined policy spaces to help manage the impact of the break the glass phenomenon in healthcare systems. We present a system that enables the inference and discovery of facts that require further scrutiny. This significantly reduces the burden on the person investigating potentially suspicious activity in the audit logs of healthcare information systems.

TRANSCRIPT

Page 1: Using a Policy Spaces Auditor to Check for Temporal Inconsistencies in Healthcare Audit Log Files

USING A POLICY SPACES AUDITOR TO CHECK FOR TEMPORAL INCONSISTENCIES IN HEALTHCARE AUDIT LOG FILES

Tyrone Grandison, Sean Thorpe

LACCEI Symposium of Health Informatics in Latin America and the Caribbean 2013


Outline

Motivation, Goal, Prior Work, Policy Spaces, Policy Evaluation Flow, System, Conclusion

August 14th, 2013, LACCEI Symposium of Health Informatics in Latin America and the Caribbean


Motivation

Healthcare Core Tenet – Nothing interferes with care delivery.

Healthcare security controls are often bypassed. This is called ‘break the glass’ (BtG). Though useful and necessary in emergencies, it is a security hole. Malicious users can gain unauthorized privileges & accesses by breaking the glass.

‘Break the Glass’ activity is no longer the exception, and it is logged in healthcare audit files.


Goal


Help to determine when Break the Glass is being abused.

Leverage prior work. Analyze audit logs to spot temporal inconsistencies. Bring them to the attention of the security team.


Prior Work


Policy Coverage (Bhatti and Grandison, 2007): Access control policy should state what happens in the security system. Increase the coverage of policy by mining BtG requests in the audit log.

Policy Spaces (Ardagna et al., 2008): Builds on Bhatti and Grandison (2007) and defines a model of the audit log space.

Exception-based access control (Ardagna et al., 2010): Creates a more rigorous model from Ardagna et al. (2008).


Policy Spaces


Authorized Accesses (P+): Traditional access control policies. Intuitively, P+ includes positive authorizations regulating ‘common practice’.

Denied Accesses (P−): Access control policies that are used to prevent abuses. Policies in this space are meant to limit exceptions that can result in unauthorized accesses exploiting BtG.


Policy Spaces


Planned Exceptions (EP): Regulate access requests that do not fall into the normal routine, i.e. exceptions that can be foreseen, for example, according to past observations. Associated with, and indexed by, conditions on the context information represented by attributes in exception space E and on dynamic information in the profiles (e.g., status of the patient), which are used to restrict their applicability. Policies in EP cannot override policies in P−.

Unplanned Exceptions (EU): Policies regulating all access requests not covered by the previous policy spaces (P+, P−, and EP). Space EU is composed of two sub-spaces, denoted EU+ and EU-, respectively.

EU- enforces the deny-all default policy and is applicable to all requests that happen in non-emergency cases, when the enforcement of the BtG principle would be an abuse.

EU+ enforces the permit-all default policy and is applicable to all requests that happen in emergency situations, thus allowing all accesses not explicitly allowed or denied by policies in other spaces.

All the accesses falling in EU are inserted into an auditing log for a posteriori analysis.


Policy Evaluation Flow


System


Policy Spaces tool identifies log entries belonging to each space.

Our system (BtG policy space auditor) examines rules in EU. It enables the health care system administrator, an auditor or a forensic user to specify a timeline and an unplanned exceptions (EU) set to be checked for temporal inconsistencies.

Uses the happened-before relation. It implies an activity timeline and assumes a set of records stating when each action occurred.

Simple logic.


System Use


Construct an audit log timeline, i.e. a sequence over the set of events.

The BtG space log auditor is launched to evaluate all the events ordered by their timestamp.

If an event evta has a happened-before relation to evtb, but the audit kernel log timestamp (tb) of evtb suggests that evtb occurred before evta, then ta and tb are inconsistent.


Example


Event 1: A patient p must be admitted into the hospital before any other actions are.

Event 2: A healthcare practitioner x cannot prescribe medication for patient p before they have been checked in.

If a prescription event evtb occurs, the check-in event evta must happen before it, and evtb must happen before the check-out event evtc.

The physical time tc at which the event evtc must have occurred must be after the physical time tb at which the event evtb must have occurred, which must in turn be after the physical time ta at which the event evta must have occurred.
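
An added example (not code from the paper or from the authors' tool) of the happened-before check described above, run over constructed EU log entries. The record fields, the action names and the per-visit grouping are assumptions; the check also applies the transitive closure of the rules, which goes slightly beyond the pairwise statement on the slide.

```python
from datetime import datetime
from itertools import product

# Happened-before rules from the slide's example: check-in -> prescription -> check-out.
RULES = {("check_in", "prescribe"), ("prescribe", "check_out")}

# Constructed EU log entries; field names, ids and the "visit" key are assumptions.
SAMPLE_EU_LOG = [
    {"id": "e1", "visit": "v1", "action": "prescribe", "ts": "2013-08-14T09:05:00"},
    {"id": "e2", "visit": "v1", "action": "check_in", "ts": "2013-08-14T09:20:00"},
    {"id": "e3", "visit": "v1", "action": "check_out", "ts": "2013-08-14T17:00:00"},
    {"id": "e4", "visit": "v2", "action": "check_in", "ts": "2013-08-14T10:00:00"},
    {"id": "e5", "visit": "v2", "action": "check_out", "ts": "2013-08-14T09:30:00"},
    {"id": "e6", "visit": "v3", "action": "check_in", "ts": "2013-08-14T11:00:00"},
    {"id": "e7", "visit": "v3", "action": "prescribe", "ts": "2013-08-14T11:30:00"},
]


def transitive_closure(rules):
    """Happened-before is transitive: a->b and b->c imply a->c."""
    closure = set(rules)
    while True:
        extra = {(a, d) for (a, b), (c, d) in product(closure, closure) if b == c}
        if extra <= closure:
            return closure
        closure |= extra


def find_inconsistencies(log, rules=RULES):
    """Return (evta_id, evtb_id) pairs where evta must happen before evtb
    but the logged timestamps do not place tb after ta."""
    order = transitive_closure(rules)
    by_visit = {}
    for rec in log:
        by_visit.setdefault(rec["visit"], []).append(rec)
    findings = []
    for records in by_visit.values():
        for evta, evtb in product(records, records):
            if (evta["action"], evtb["action"]) not in order:
                continue
            ta = datetime.fromisoformat(evta["ts"])
            tb = datetime.fromisoformat(evtb["ts"])
            if tb <= ta:  # the example requires tb to be strictly after ta
                findings.append((evta["id"], evtb["id"]))
    return sorted(findings)
```

Visit v2 has no prescription event, so its check-out-before-check-in ordering is caught only because the closure derives check_in -> check_out from the two stated rules.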


Conclusion


Breaking the Glass is a necessary evil.

Policy Spaces streamlines and optimizes the different types of healthcare security requests.

Leveraging Policy Spaces and a rule-based auditing tool, it is possible to easily detect suspicious activity. We present temporal inconsistencies. However, we expect to explore a range of other inconsistencies.


References


Ardagna, C. A., De Capitani di Vimercati, S., Foresti, S., Grandison, T. W., Jajodia, S., and Samarati, P. (2010). “Access control for smarter healthcare using policy spaces”. Computers & Security, 29(8), 848-858.

Ardagna, C. A., di Vimercati, S. D. C., Grandison, T., Jajodia, S., and Samarati, P. (2008). “Regulating exceptions in healthcare using policy spaces”. In Data and Applications Security XXII (pp. 254-267). Springer Berlin Heidelberg.

Bhatti, R., and Grandison, T. (2007). “Towards improved privacy policy coverage in healthcare using policy refinement”. In Secure Data Management (pp. 158-173). Springer Berlin Heidelberg.

Grandison, T., and Davis, J. (2007). “The impact of industry constraints on model-driven data disclosure controls”. In Proc. of the 1st International Workshop on Model-Based Trustworthy Health Information Systems, Nashville, Tennessee, USA.

Rostad, L., and Edsberg, O. (2006). “A study of access control requirements for healthcare systems based on audit trails from access logs”. In Proc. of the 22nd Annual Computer Security Applications Conference, Miami Beach, Florida, USA.

Thorpe, S., Ray, I., Grandison, T., Barbir, A., and France, R. (2013). “Hypervisor Event Logs as a Source of Consistent Virtual Machine Evidence for Forensic Cloud Investigations”. In Proc. of the 27th Annual IFIP WG11.3 Working Conference on Data Security and Privacy (DBSEC), Newark, New Jersey, USA.

Gladyshev, P., and Patel, A. (2005). “Formalizing event time bounding in digital investigations”. International Journal of Digital Evidence, Vol. 4.